def inner(*args, **kwargs):
user = kwargs['user']
keycloak = di.get(KeycloakClient)
if not user or not any(
keycloak.user_check_role(user, role) for role in roles):
raise Forbidden(forbidden_message)
return fn(*args, **kwargs)
def create_openstack_client(self, project=None):
"""
Create OpenStack SDK connection (client). Optional `project` argument
can be used to change project, default is project from the region
(:attr:`Region.project`).
Returns:
openstack.connection.Connection
"""
vault = di.get(Vault)
credentials = vault.read(self.openstack_credentials)
if not credentials:
raise RuntimeError(
f'Missing credentials in vault; {vault!r} {self.openstack_credentials}'
)
connection = openstack.connection.Connection(
auth=dict(
auth_url=self.openstack_url,
username=credentials['username'],
password=credentials['password'],
project_name=project or self.openstack_project,
domain_name=self.openstack_domain_name,
),
region_name="regionOne",
interface="public",
identity_api_version=3,
)
connection.authorize()
return connection
def decode_token(token):
keycloak = di.get(KeycloakClient)
token = keycloak.token_info(token)
if not token['active']:
raise Unauthorized('Token is not valid')
return token
def inner(*args, **kwargs):
keycloak = di.get(KeycloakClient)
if 'policy_id' in kwargs:
current_user = kwargs['user']
group_name = f'policy-{kwargs["policy_id"]}-owners'
group_list = keycloak.user_group_list(current_user)
groups = {group['name']: group for group in group_list}
if group_name in groups.keys():
# User has access to delete/edit policy
return func(*args, **kwargs)
else:
# User does not have access to delete/edit policy
return problem(403, 'Forbidden', 'You do not own this policy')
else:
return func(*args, **kwargs)
def create_tower_client(self) -> Tower:
"""
Create Tower client.
:returns: :class:`rhub.tower.client.Tower`
:raises: `RuntimeError` if failed to create client due to missing
credentials in vault
:raises: `Exception` any other errors
"""
vault = di.get(Vault)
credentials = vault.read(self.credentials)
if not credentials:
raise RuntimeError(
f'Missing credentials in vault; {vault!r} {self.credentials}')
return Tower(
url=self.url,
username=credentials['username'],
password=credentials['password'],
verify_ssl=self.verify_ssl,
)
def user_is_admin(user_id):
"""Check if user is admin, has :const:`rhub.auth.ADMIN_ROLE` role."""
keycloak = di.get(KeycloakClient)
return keycloak.user_check_role(user_id, ADMIN_ROLE)
def user_name(self):
if self.user_id:
return di.get(KeycloakClient).user_get(self.user_id)['username']
return None
def group_name(self):
if self.group_id:
return di.get(KeycloakClient).group_get(self.group_id)['name']
return None
def get_user_project_name(self, user_id):
user_name = di.get(KeycloakClient).user_get(user_id)['username']
return f'ql_{user_name}'
def users_group_name(self):
if self.users_group:
return di.get(KeycloakClient).group_get(self.users_group)['name']
return None
def owner_group_name(self):
return di.get(KeycloakClient).group_get(self.owner_group)['name']
def basic_auth(username, password, required_scopes=None):
keycloak = di.get(KeycloakClient)
return keycloak.login(username, password)
def setup_keycloak():
keycloak = di.get(KeycloakClient)
groups = {group['name']: group for group in keycloak.group_list()}
roles = {role['name']: role for role in keycloak.role_list()}
if ADMIN_GROUP not in groups:
logger.info(f'Creating admin group "{ADMIN_GROUP}"')
admin_group_id = keycloak.group_create({'name': ADMIN_GROUP})
groups[ADMIN_GROUP] = keycloak.group_get(admin_group_id)
if ADMIN_ROLE not in roles:
logger.info(f'Creating admin role "{ADMIN_ROLE}"')
admin_role_name = keycloak.role_create({'name': ADMIN_ROLE})
roles[ADMIN_ROLE] = keycloak.role_get(admin_role_name)
if not any(
role['name'] == ADMIN_ROLE
for role in keycloak.group_role_list(groups[ADMIN_GROUP]['id'])):
logger.info(
f'Adding admin role "{ADMIN_ROLE}" to admin group "{ADMIN_GROUP}"')
keycloak.group_role_add(ADMIN_ROLE, groups[ADMIN_GROUP]['id'])
if not keycloak.user_list({'username': ADMIN_USER}):
logger.info(f'Creating admin account "{ADMIN_USER}"')
keycloak.user_create({
'username': ADMIN_USER,
'email': '*****@*****.**',
'firstName': 'Admin',
'lastName': 'RHub',
})
admin_user = keycloak.user_list({'username': ADMIN_USER})[0]
if not any(group['name'] == ADMIN_GROUP
for group in keycloak.user_group_list(admin_user['id'])):
logger.info(
f'Adding admin user "{ADMIN_USER}" to admin group "{ADMIN_GROUP}"')
keycloak.group_user_add(admin_user['id'], groups[ADMIN_GROUP]['id'])
for i in ['lab-owner', 'policy-owner']:
if i not in roles:
logger.info(f'Creating "{i}" role')
roles[i] = keycloak.role_create({'name': i})
if SHAREDCLUSTER_GROUP not in groups:
logger.info(f'Creating sharedcluster group "{SHAREDCLUSTER_GROUP}"')
group_id = keycloak.group_create({'name': SHAREDCLUSTER_GROUP})
groups[SHAREDCLUSTER_GROUP] = keycloak.group_get(group_id)
if SHAREDCLUSTER_ROLE not in roles:
logger.info(f'Creating sharedcluster role "{SHAREDCLUSTER_ROLE}"')
role_name = keycloak.role_create({'name': SHAREDCLUSTER_ROLE})
roles[SHAREDCLUSTER_ROLE] = keycloak.role_get(role_name)
if not any(role['name'] == SHAREDCLUSTER_ROLE for role in
keycloak.group_role_list(groups[SHAREDCLUSTER_GROUP]['id'])):
logger.info(f'Adding sharedcluster role "{SHAREDCLUSTER_ROLE}" '
f'to sharedcluster group "{SHAREDCLUSTER_GROUP}"')
keycloak.group_role_add(SHAREDCLUSTER_ROLE,
groups[SHAREDCLUSTER_GROUP]['id'])
if not keycloak.user_list({'username': SHAREDCLUSTER_USER}):
logger.info(f'Creating sharedclusters account "{SHAREDCLUSTER_USER}"')
keycloak.user_create({
'username': SHAREDCLUSTER_USER,
'email': f'nobody+{SHAREDCLUSTER_USER}@redhat.com',
'firstName': 'Shared Cluster',
'lastName': 'RHub',
})
sharedcluster_user = keycloak.user_list({'username':
SHAREDCLUSTER_USER})[0]
if not any(
group['name'] == SHAREDCLUSTER_GROUP
for group in keycloak.user_group_list(sharedcluster_user['id'])):
logger.info(f'Adding sharedcluster user "{SHAREDCLUSTER_USER}" '
f'to sharedcluster group "{SHAREDCLUSTER_GROUP}"')
keycloak.group_user_add(sharedcluster_user['id'],
groups[SHAREDCLUSTER_GROUP]['id'])